Easy Chroot SFTP configuration on CentOS 6 Tutorial

By | November 29, 2016

One of the biggest concerns of any security-conscious Unix admin is how to secure SSH and SFTP access to a server.

Today's post will show you how to restrict SSH to specific users, and limit other specified users to SFTP access only.

My easy Chroot SFTP configuration process will follow these steps –

1) Enable port 2222 for SSH access
2) Enable port 22 for SFTP only access
3) Configure sshd to route users of a specified group to only permit SFTP access
4) Configure your SFTP users home areas
5) Restart sshd to take effect!

So let's take each one in turn.

1) Enable port 2222 for SSH access

The easy one. sshd is your SSH daemon, its main config file is /etc/ssh/sshd_config

Edit that file and enable port 2222 like this – near the top of the file you will already see Port 22 listed, so simply add a second line for 2222:

Port 22
Port 2222

2) Enable port 22 for SFTP only access

The logic for this should be relatively easy to follow. First you want to create a group for your SFTP users to be assigned to –

groupadd -g 1111 sftpusers

The 1111 can be any group id number you want.

Now you want to assign your sftp users to your new group –

usermod -g sftpusers user1

Do the above for all required usernames. If for any reason you need the user's primary group to be something else, you can change the -g (primary group) to -G (secondary group).

3) Configure sshd to route users of a specified group to only permit SFTP access

Now add a section at the bottom of the /etc/ssh/sshd_config file you edited above, so that users in your sftpusers group only get SFTP access –

Subsystem sftp internal-sftp -f LOCAL3 -l VERBOSE
Match LocalPort 22 Group sftpusers
    ChrootDirectory /home/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

So the above says: anyone connecting on the default port 22 who is in the group sftpusers is forced (ForceCommand) to run internal-sftp.


You can also see that ChrootDirectory is set to /home/%u, which means each user is locked into their own home directory under /home (%u expands to the username).

4) Configure your SFTP users home areas

The trickiest part, but it's actually not so hard, and I've written a little bash script which will do what you need based on the group id you used to create your sftpusers group earlier.

Before we get to the quick script, here is the logic behind what we are about to do. Your aim is to force the user into a specific home directory, and to give them access only to files under that home directory.

If (like me) your users use /home/xxxxx for their home directories then this is still perfectly possible. You simply want to make the HOME area owned by root only, and only the directories under the home directory readable or writable by the specific username.

So… my little script (with an explanation under what it is doing) –

awk -F: '$4 == 1111 { print $1 }' /etc/passwd | while read -r LINE ; do   # users whose primary group id is 1111
  usermod -d / -g sftpusers "${LINE}"                 # home is / inside the chroot, i.e. /home/<user> on the host
  chown root:root "/home/${LINE}"                     # the chroot directory must be owned by root
  chmod 755 "/home/${LINE}"                           # and must not be writable by group or others
  chown -hR "${LINE}:sftpusers" "/home/${LINE}"/*     # the user owns everything beneath it
done

Line 1 – Get a list of users whose group id is 1111 (the group you created earlier), extract the username (the first column, before the :), and read each one in turn.

Then for each line do –

Line 2 – Remember that in sshd_config you set ChrootDirectory to /home/%u? Here you set the user's home directory in the passwd file to /, which is the root of that chroot, so the full path on the host is /home/username. You also assign the user to the group sftpusers.

Line 3 – Now you are setting the owner of the full home directory to be root and group to root as well.


Line 4 – Then set full permissions to root on that home directory

Line 5 – And lastly set the owner of everything UNDER that home directory to be the username and group to sftpusers
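sshd is strict about the chroot target: the ChrootDirectory itself and every directory above it must be owned by root and must not be writable by group or others, otherwise the SFTP login is refused. The following is an added example (not the script from this post) that audits a chroot path the same way before you test a login. The stat calls assume GNU coreutils, which CentOS 6 has; the "<path> <uid> <mode>" line format is just this example's own convention so the check itself can be tested without root.

```bash
# Pure check: reads lines of "<path> <owner-uid> <octal-mode>" on stdin, prints
# the first component that sshd would reject, and returns 1 if one is found.
# (sshd's rule: owner must be root, and mode bits 022 -- group/other write --
# must be clear, on the chroot directory and on every directory above it.)
check_chroot_components() {
    path=""; uid=""; mode=""
    while read -r path uid mode; do
        [ -z "$path" ] && continue
        if [ "$uid" != "0" ]; then
            echo "BAD: $path is owned by uid $uid; every ChrootDirectory component must be owned by root"
            return 1
        fi
        perm=$(printf '%d' "0$mode")          # octal mode string -> decimal (leading 0 = octal)
        if [ $(( perm & 18 )) -ne 0 ]; then   # 18 decimal == 022 octal
            echo "BAD: $path (mode $mode) is writable by group or others"
            return 1
        fi
    done
    echo "OK: every component is root-owned and not group/world writable"
    return 0
}

# Walk from the chroot directory up to / and emit one "<path> <uid> <mode>"
# line per component, using GNU stat (present on CentOS 6).
list_chroot_components() {
    dir="$1"
    while :; do
        printf '%s %s %s\n' "$dir" "$(stat -c %u "$dir")" "$(stat -c %a "$dir")"
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
}

# Usage: audit_chroot_dir /home/user1
audit_chroot_dir() {
    list_chroot_components "$1" | check_chroot_components
}
```

Run audit_chroot_dir /home/user1 after the script above; a chroot placed under a world-writable directory such as /tmp fails this check even though the sticky bit is set, which is exactly what sshd rejects.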

5) Restart sshd to take effect!

Very important, or it just won't work…

service sshd restart
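Before restarting, it pays to check the config: every directive after a Match line belongs to that Match block until the next Match, so the Port and Subsystem lines must sit above the sftpusers section, and the block must carry both ChrootDirectory and ForceCommand internal-sftp. The function below is an added example, not part of this post, that scans an sshd_config for those points; pair it with sshd's own syntax check (sshd -t) so a typo does not leave you locked out after the restart.

```bash
# Added example: sanity-check an sshd_config before "service sshd restart".
# Usage: sshd_config_sane /etc/ssh/sshd_config && sshd -t && service sshd restart
sshd_config_sane() {
    awk '
        # skip blank lines and comments
        /^[ \t]*(#|$)/ { next }
        # a Match line starts a new block; remember whether it is the sftpusers one
        tolower($1) == "match" {
            in_match = 1
            this_block = ($0 ~ /Group[ \t]+sftpusers/)
            next
        }
        # global directives only count when they appear before any Match block
        !in_match && tolower($1) == "port" && $2 == "2222"                       { port_ok = 1 }
        !in_match && tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { subsys_ok = 1 }
        in_match  && tolower($1) == "subsystem"                                   { misplaced = 1 }
        # what the sftpusers block itself must contain
        this_block && tolower($1) == "chrootdirectory"                            { chroot_ok = 1 }
        this_block && tolower($1) == "forcecommand" && $2 == "internal-sftp"      { force_ok = 1 }
        END {
            rc = 0
            if (!port_ok)   { print "missing global directive: Port 2222"; rc = 1 }
            if (!subsys_ok) { print "missing global directive: Subsystem sftp internal-sftp"; rc = 1 }
            if (misplaced)  { print "Subsystem appears inside a Match block; move it above the Match line"; rc = 1 }
            if (!chroot_ok) { print "Match Group sftpusers block lacks ChrootDirectory"; rc = 1 }
            if (!force_ok)  { print "Match Group sftpusers block lacks ForceCommand internal-sftp"; rc = 1 }
            if (rc == 0) print "sshd_config looks sane"
            exit rc
        }
    ' "$1"
}
```

The function returns non-zero with a reason when something is missing or misplaced, so it can gate the restart in a one-liner as shown in the usage comment.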

Testing –

Set the password of one of your sftpusers to something you know, and just try it –

sftp user@servername

Log in and get a file!

Putting a file there is slightly more complex, as the directory you land in is owned by root; it is therefore best to make another directory inside the user's home directory that is writable by the user and the group sftpusers.

You now want to prove that your user is NOT able to connect using SSH…

ssh user@servername

You will get a login prompt, but it will log you out as soon as you try to actually log in.

It is also advisable to check you ARE able to log in as a non-sftp configured user! And you can also check that you are able to access SSH using port 2222 which you created earlier as well –

ssh -p 2222 user@servername

That's it; if you've done everything above correctly you have now restricted access to your SFTP server. Was my Easy Chroot SFTP configuration useful to you? Subscribe to my website for more useful posts in the future! Check out my other Bash Tips and Tutorials.
